UPDATED 18:34 EDT / FEBRUARY 06 2023


VMware and governments warn of ransomware attack targeting unpatched ESXi servers

VMware Inc. and government agencies in Europe are warning users of VMware’s ESXi hypervisors today to ensure their software is up to date following the emergence of a widespread ransomware campaign targeting unpatched installs.

The attacks first emerged late last week and target a vulnerability in VMware ESXi servers that was patched in 2021, officially designated CVE-2021-21974. The issue is a heap overflow vulnerability in OpenSLP as used in certain versions of ESXi 6.5, 6.7 and 7.0. OpenSLP is an open-source implementation of the IETF Service Location Protocol.

“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” VMware advised when it released a patch in February 2021. The port used in the attacks has been disabled by default in all releases of ESXi since 2021.
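As a defender-side check that is not part of this article or of VMware's own tooling, the script below wraps the esxcli and chkconfig commands VMware documents for turning off SLP; the parsing helpers and the sample command output are constructed here so it can also be exercised off an ESXi host.

```shell
#!/bin/sh
# Added example: audit whether the OpenSLP service (CVE-2021-21974, port 427) is still
# reachable on an ESXi host, and optionally disable it. The esxcli/chkconfig commands are
# VMware's documented ones; the helper functions and sample output are constructed.

# Parse `esxcli network firewall ruleset list` output; print yes if the CIMSLP
# ruleset (the firewall rule that opens port 427) is enabled, no otherwise.
slp_ruleset_enabled() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" { found = 1; if ($2 == "true") print "yes"; else print "no" }
                              END { if (!found) print "no" }'
}

# Parse `chkconfig --list` output; print yes if slpd is set to start at boot.
slpd_starts_at_boot() {
    printf '%s\n' "$1" | awk '$1 == "slpd" { found = 1; if ($2 == "on") print "yes"; else print "no" }
                              END { if (!found) print "no" }'
}

# Disable SLP the way VMware documents it: stop the daemon, close the firewall
# rule, and keep the daemon from starting again at boot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# On a real host read the live state; elsewhere fall back to constructed sample output
# that mirrors the command formats, so the script prints a result anywhere.
audit_slp() {
    if command -v esxcli >/dev/null 2>&1; then
        rules=$(esxcli network firewall ruleset list)
        boot=$(chkconfig --list)
    else
        rules='Name       Enabled
---------  -------
sshServer  true
CIMSLP     true'
        boot='slpd    on'
    fi
    echo "CIMSLP firewall ruleset enabled: $(slp_ruleset_enabled "$rules")"
    echo "slpd starts at boot:             $(slpd_starts_at_boot "$boot")"
}

audit_slp
```

Run `disable_slp` only after confirming nothing on the host (for example CIM-based hardware monitoring) still depends on SLP discovery.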

Unfortunately, two years later numerous VMware ESXi users have not applied the patch or upgraded their software. VMware noted in a blog post today that the attacks are targeting installations that have generally reached the end of general support or are significantly out of date.

The breadth of the attacks has gained government attention, with authorities in France and Italy issuing warnings. A technical bulletin from the French cybersecurity agency warned of the attack, while the Italian premier’s office said on Sunday that the attack affecting computing systems in the country involved “ransomware already in circulation.”

The warning in Italy followed a nationwide internet outage at Telecom Italia, which affected the streaming of some sports games. It’s not clear from reports whether the outage was related to the ransomware campaign.

“The reported widespread ransomware attacks against unpatched VMware ESXi systems in Europe and elsewhere… highlights how important it is to update key software infrastructure systems as quickly as possible,” Stefan van der Wal, a consulting solutions engineer at security and networking company Barracuda Networks Inc., told SiliconANGLE. “It isn’t always easy for organizations to update software.”

In the case of this patch, for example, organizations need to disable essential parts of their IT infrastructure temporarily, he explained. “But it is far better to face that than to be hit by a potentially damaging attack.”

David Maynor, senior director of threat intelligence at cybersecurity training company Cybrary Inc., noted that the offensive community knows that although the operating systems that are run in virtualized environments are getting more secure, the underlying tools that wrap around the hypervisor are still very buggy.

“VMWare has had ongoing ESXi issues for years; however, you can still find bugs with a Kali Linux box and 10 minutes of training with fuzzer tools,” Maynor added. “It would be best if you were not exposing your ESXi management interface to the world.”

Photo: Robert Hof/SiliconANGLE
